Lateral Movement Techniques: PsExec, WMI, WinRM, PtH, and OPSEC Trade-offs
Lateral movement is the longest phase of most engagements. A practical comparison of PsExec, WMI, WinRM, Pass-the-Hash, and the OPSEC trade-offs of each.
By Arjun Raghavan, Security & Systems Lead, BIPI · December 6, 2024 · 11 min read
Lateral movement is the longest, loudest, and most over-tooled phase of a typical engagement. Most operators learn three commands and rotate them. Defenders, meanwhile, have got considerably better at catching the obvious ones. This is a working comparison of the major techniques, what each generates on disk and in logs, and how to choose between them.
Pass-the-Hash and the credential layer
Before you can move laterally, you need a credential. PtH lets you use an NTLM hash directly, without cracking it, against any protocol that accepts NTLM authentication: SMB, WinRM over HTTP transport in some configurations, MSSQL, IMAP, and others. Pass-the-Ticket does the same for Kerberos using TGTs or service tickets. Overpass-the-Hash uses an NTLM hash to obtain a Kerberos TGT via Rubeus or Mimikatz.
- Mimikatz: sekurlsa::pth /user:admin /domain:corp.local /ntlm:HASH /run:cmd
- impacket: psexec.py -hashes :NTLMHASH corp.local/admin@target
- Rubeus: asktgt /user:admin /rc4:HASH /ptt for overpass-the-hash
PsExec
The classic. Drops a service binary on ADMIN$, registers a service, executes it, and returns output via a named pipe. Loud, durable, and reliable. Detection is mature: Security 5145 for ADMIN$ share access, System 7045 and Security 4697 for the service install, with PSEXESVC or a randomly named service as the service name.
Variants: smbexec (no binary drop, uses cmd.exe with stdin redirection), atexec (scheduled tasks), wmiexec (via WMI). Each has a different artifact and log surface.
WMI execution
WMI is quieter than PsExec, faster, and harder to detect by default. wmiexec.py from impacket spawns a remote process via Win32_Process.Create and reads output via a temporary share. WMI Event Subscriptions are also a classic persistence path, especially the __EventFilter plus CommandLineEventConsumer combination.
- Event 19 in the WMI-Activity log captures suspicious subscriptions
- Sysmon Event 20 covers WMI consumer creation, 21 for filter, 22 for binding
- wmiexec.py corp.local/admin@target -no-output for a quieter variant
WinRM and PowerShell Remoting
WinRM uses HTTP or HTTPS for transport and is increasingly the cleanest lateral path on modern Windows. Enter-PSSession and Invoke-Command leave clean session traces that look like normal admin activity. Evil-WinRM is the standard offensive tool. Authentication is Kerberos by default, NTLM optional, and CredSSP for credential delegation when needed.
Detection lives in PowerShell logging (4103, 4104) and WinRM operational logs. If a target has Module Logging and Script Block Logging enabled, your activity is fully recorded.
SSH and the cross-platform reality
Modern Windows includes OpenSSH server as an optional feature, increasingly enabled. SSH key abuse, especially when authorized_keys files are writable, gives a quieter lateral path that bypasses most Windows-specific detection content. Linux estates inside otherwise-AD networks are routinely overlooked.
The operator who picks the method that matches the environment's logging posture wins. The operator who always picks PsExec gets caught.
OPSEC comparison
- PsExec: highest detection rate, simplest fallback, useful when speed matters and detection does not.
- WMI: middle ground, often missed by default Sysmon configurations, captured by tuned ones.
- WinRM: cleanest in environments with Module Logging off, fully visible where on.
- DCOM (MMC20.Application, ShellWindows): occasional bypass of WMI-focused detections.
- Scheduled tasks (schtasks remote, atexec): persistence-friendly but loud on creation.
- SSH on hybrid networks: quiet on the Windows side but logged by sshd on the receiving host.
Detection content that catches most of this
- 4624 type 3 logons from a workstation source IP to multiple servers in a short window
- 5145 access to ADMIN$ or C$ from non-admin source
- Sysmon 1 (process create) where ParentImage is services.exe and Image is randomly named
- PowerShell 4104 with high-entropy script blocks or base64 runs over a length threshold
- WMI-Activity 5861 for permanent consumer creation
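The first, second, and fourth rules above, turned into correlation logic over a handful of constructed events. This is an added example, not code from the original post or from any of the tools it names; the event field names are simplified stand-ins for the real record fields, and the windows and thresholds are assumptions to tune against your own baseline.

```python
import re, math, base64
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Constructed sample events (not real logs): only the fields these rules need from
# Security 4624/5145, System 7045 and PowerShell 4104 records. ENC is a harmless encoded command.
ENC = base64.b64encode(b"Get-ChildItem C:\\Users -Recurse | Select-Object FullName,Length | Export-Csv C:\\temp\\files.csv").decode()
EVENTS = [
    {"ts": "2024-12-06T09:00:01", "id": 4624, "logon_type": 3, "src_ip": "10.0.2.15", "host": "srv01"},
    {"ts": "2024-12-06T09:00:05", "id": 5145, "share": "\\\\*\\ADMIN$", "src_ip": "10.0.2.15", "host": "srv01"},
    {"ts": "2024-12-06T09:00:06", "id": 7045, "service": "PSEXESVC", "host": "srv01"},
    {"ts": "2024-12-06T09:00:40", "id": 4624, "logon_type": 3, "src_ip": "10.0.2.15", "host": "srv02"},
    {"ts": "2024-12-06T09:01:10", "id": 4624, "logon_type": 3, "src_ip": "10.0.2.15", "host": "srv03"},
    {"ts": "2024-12-06T09:01:30", "id": 4624, "logon_type": 3, "src_ip": "10.0.2.15", "host": "srv04"},
    {"ts": "2024-12-06T09:30:00", "id": 4624, "logon_type": 3, "src_ip": "10.0.5.9", "host": "srv01"},
    {"ts": "2024-12-06T09:31:00", "id": 4104, "host": "srv01", "script": "Get-Service WinRM | Restart-Service"},
    {"ts": "2024-12-06T09:32:00", "id": 4104, "host": "srv02", "script": "powershell -enc " + ENC},
]
ts = datetime.fromisoformat

def logon_fanout(events, window=timedelta(minutes=5), min_hosts=3):
    """Rule 1: one source IP opening type-3 logons to >= min_hosts distinct hosts inside `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] == 3:
            by_src[e["src_ip"]].append((ts(e["ts"]), e["host"]))
    hits = {}
    for src, logons in by_src.items():
        for i, (start, _) in enumerate(sorted(logons)):
            hosts = {h for t, h in sorted(logons)[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                hits[src] = max(hits.get(src, 0), len(hosts))  # widest fan-out seen for this source
    return hits

def psexec_like(events, window=timedelta(seconds=60)):
    """Rule 2: a service install (7045/4697) on a host that saw ADMIN$ access (5145) just before."""
    admin = [e for e in events if e["id"] == 5145 and e["share"].endswith("ADMIN$")]
    hits = []
    for svc in (e for e in events if e["id"] in (7045, 4697)):
        for a in admin:
            if a["host"] == svc["host"] and timedelta(0) <= ts(svc["ts"]) - ts(a["ts"]) <= window:
                hits.append((svc["host"], svc["service"], a["src_ip"]))
    return hits

def shannon_entropy(s):
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())
B64_RUN = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")  # a long base64-looking run

def suspicious_scriptblocks(events, min_len=100, entropy_threshold=4.5):
    """Rule 3: 4104 script blocks that are long and either high-entropy or carry a long base64 run."""
    return [e["host"] for e in events if e["id"] == 4104 and len(e["script"]) >= min_len
            and (shannon_entropy(e["script"]) > entropy_threshold or B64_RUN.search(e["script"]))]
```

On the constructed sample the fan-out rule fires for 10.0.2.15 (four servers in ninety seconds), the service-install rule ties the PSEXESVC install on srv01 back to the ADMIN$ access from that same source, and only the encoded script block on srv02 trips the 4104 rule.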
Remediation
- Tier the administrative model. Tier 0 admins cannot log on to Tier 2 hosts.
- Microsoft LAPS for local administrator passwords. No reuse, ever.
- Credential Guard on every workstation and server that supports it.
- Restrict NTLM via the audit-then-block rollout. Push everything to Kerberos.
- Module logging and Script Block logging on for all PowerShell hosts, forwarded to the SIEM.
- Block lateral SMB and WinRM between workstations via host firewall.
Lateral movement is no longer a binary of caught or missed. It is a curve, and where you land on that curve depends on the technique chosen, the logging posture, and the discipline of the operator. Defenders who measure that curve continuously close the gap. Attackers who do not adapt get caught.